LAW

Data privacy regulation in Costa Rica is divided between two laws. The first is Law No. 7975, Undisclosed Information Law, which makes it a crime to disclose confidential/personal information without authorization. The second is Law No. 8968, Protection in the Handling of the Personal Data of Individuals, which was enacted to regulate the activities of companies that administer databases containing personal information. Therefore, its scope is limited.

DEFINITION OF PERSONAL DATA

Personal information contained in public or private registries (e.g. medical records) that identifies or could be used to identify a natural person. Personal information can only be disclosed to persons/entities with a "need to know" such information.

DEFINITION OF SENSITIVE PERSONAL DATA

Personal information relating to ideological orientation, creed, sexual preferences. Sensitive personal data cannot be disclosed without express prior authorization from the data subject.

NATIONAL DATA PROTECTION AUTHORITY

Pursuant to Law No. 8968, the Agency for the Protection of Individual's Data (hereinafter the "Agency") is the entity charged with enforcing compliance with the regulation. The Constitutional Court also has jurisdiction to hear claims alleging violations of the Laws.

REGISTRATION

Under Law 8968, companies that manage databases containing personal information and that sell such personal information must register with the Agency.

DATA PROTECTION OFFICERS

There is no requirement for a data protection officer.

COLLECTION AND PROCESSING

Any company may store and manage a database containing personal information if the following rules are respected: (i) when accumulating personal information, private companies and/or the government must respect the "sphere of privacy" to which all individuals are entitled; (ii) companies that maintain personal information about others in their databases must ensure that such information is (a) materially truthful; (b) complete; and (c) accurate; and that (d) individuals have access to their personal data and are entitled to dispute any erroneous or misleading information about them.

Companies that manage databases containing personal information and that sell such personal information must comply with Law 8968, including by (i) reporting the company and the database to the Agency, (ii) reporting the technical issues related to the security of the database, (iii) protecting and respecting confidentiality issues, (iv) securing the information they maintain, and (v) establishing a proceeding to review requests by individuals to review and amend any error or mistakes in the database.

TRANSFER

Transfer of personal information is authorised if: (i) data subjects give written consent; or (ii) information transferred is public.

SECURITY

Any company or individual using and/or managing this type of information must take all necessary steps to guarantee that the information is kept in a safe environment. If security is breached because of improper management or protection, then the responsible company may be held liable, and may be subject to penalties and civil liability for any harm.

BREACH NOTIFICATION

There is no mandatory requirement. Nonetheless, if there is a breach, the entity is liable.

ENFORCEMENT

All claims can be brought directly to: (i) the entity, (ii) the Agency or (iii) the Constitutional Court.

ELECTRONIC MARKETING

General rules of data protection will apply. There is little to no regulation of electronic marketing. However, pursuant to the Telecommunications Act, marketing companies may not advertise via phone unless they have express written consent from the data subject.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

There has been little to no regulation in this area. However, the general rules of data protection issued by the Constitutional Court, with respect to the collection and processing of personal information, do apply.

© DLA Piper
